I met a friend for dinner who had found out that someone broke into his online accounts. Naturally, he was concerned about his data, but also about the amount of time it would take to fix the problem. I told him one way to reduce the risk of account breaches is to use something called “two-factor authentication” or 2FA.
What is Two Factor Authentication (2FA)?
The name two-factor authentication sounds complex to a lot of people. Chances are you’ve already used it in some capacity, but didn’t know it by that name.
Basically, it means that before you can get access to some service, you need to present two different kinds of proof, or factors. A factor falls into one of three categories:

| Factor | Examples |
|---|---|
| Something you know | account name, password |
| Something in your possession | security key, authenticator app, code sent to your phone |
| Some physical attribute | fingerprint, facial recognition |
When you think of getting cash from your bank's ATM, you're already using two factors: your bank card (something you have) and your PIN (something you know). The online world can work in the same way.
Instead of relying on just an account name and password, you add a second check before anyone gets access. This matters when you consider how often large companies report password breaches. It matters even more if you use the same account name and password on multiple sites, as my friend did.
Popular Services that Allow 2FA
At this point you might be thinking that 2FA is fine, but you don't have any services that use it. You probably do; many sites just don't advertise this security feature. Here are some you might know:
- Epic Games
Most of the above companies are household names, but there are smaller players too. The best way to find out who offers this security feature is to go to https://twofactorauth.org/
The site was started by Josh Davis, an Amazon engineer. It provides several ways to find services that support two-factor authentication, along with additional information about each one, and presents everything in an easy-to-read grid.
- There is a search bar at the top where you can enter a service name. As you start typing, the site shows possible matches.
- You can also filter by category. In my example, I'm using the Backup and Sync category.
For each service, the grid shows:
- Any alerts or exceptions about the company or service.
- A link to the company's own documentation on 2FA.
- Which authentication types the company supports, for example whether it accepts codes from a software token app. If a company doesn't offer 2FA at all, you can send it a tweet asking it to add support.
Getting Started with an App
There are a number of apps you can use for two-factor authentication. Perhaps the best known is Google Authenticator. Most sites that show a check in the Software Token column in the image above should work with it.
These apps generate a time-based one-time password (OTP): a six-digit code computed from a secret that the service shares with your phone during setup and from the current time, so it changes every 30 seconds. You type this code in addition to your regular password when you log in to the service.
For example, when I use Cloudflare I sign in as normal with my account name and password. Right after I hit the Login button, I'm greeted with the dialog below.
At this point, I switch to my phone’s 2FA app and get the one-time password.
Using Google’s Authenticator
Time needed: 20 minutes.
- Install Google Authenticator from your phone's app store.
- Using the Two Factor Auth list site, find the 2FA setup instructions for one of your services.
Many websites keep the activation settings in a separate security section of your account settings.
- Navigate to that page and look for a QR code you can scan with your phone or tablet. The QR code contains the secret your phone and the service will share, so treat it as you would a password.
- Google Authenticator adds the service to your phone and starts showing a one-time password (OTP) for it.
In the picture below, my password is 274944. I need to enter this code into the confirmation box before it expires. The small circle shows how much of the 30-second window remains; when it runs out, a new code is generated.
- Enter the code from your app into the service's Confirm Auth Code box.
Your service may use different terminology, such as “second factor token”.
- Your account is now configured for 2FA.
Going forward, each time you log into your service, you will be prompted to enter a new code from your app.
More Options than Google
There are a number of alternatives in case you don't like Google. They all work in a similar fashion: they generate a one-time numeric passcode on a mobile device. These include:
For example, I prefer Authy. Sites typically reference “Google Authenticator”, but the codes follow an open standard, so you can use Authy instead.
My suggestion is to try each of these apps to see which one suits your needs. There are subtle differences: Authy doesn't have a circular countdown to indicate time but uses a bar at the top, and LastPass Authenticator can skip typed codes entirely in favor of Approve or Deny buttons.
Caveats & Warnings
Although 2FA is more secure than a password alone, it's not bulletproof. This is especially true of SMS codes. They are better than nothing, but SMS is not as secure as you might think.
There have been a number of reports of these text messages being intercepted, or redirected by attackers who talked a carrier into moving the victim's phone number to a SIM they control. Wired magazine had a nice article on this that you might want to read.
Another downside is that you may not be able to transfer your 2FA setup when you get a new phone. Re-enrolling doesn't take a lot of time, but sometimes you need to take additional steps with the provider to remove the previous setup first.
As much as I like 2FA, I have to admit there are some aspects that can “bite you in the butt”. Earlier, I had to do a factory reset of my cell phone, which has Google Authenticator on it. I knew I needed to download the app again and go through the setup process.
What I didn't realize was that some of the services I use had terrible fallback procedures. Most services have a backup method so you can get back into your account. The typical means are an SMS code or a stored list of backup codes that you enter on the service's login page in place of the app code. However, some services tell you to call customer support. In one case, my provider wanted a notarized letter.
My suggestion, before you do a factory reset on your cell phone or get a new one, is to double-check your services. Where possible, get a copy of the backup codes you'll need or set up SMS as a fallback.
These backup codes are not the same as the one-time passwords from the app, although the concept is similar. They are usually alphanumeric, and each one stays valid until you use it to log in to your service; they don't expire after 30 seconds. They are meant for the case where you don't have your phone. The downside is that you need to keep them somewhere safe, since anyone who finds them can use them.
If a provider has no fallback method at all, I'd suggest turning 2FA off for that service until your new phone is working. Keeping hackers out is the goal, but it's exceedingly frustrating when you're the one locked out.
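As an added example (Python, not from the original article or from any particular provider), here is how a service can implement the backup codes described above: the user is shown a printable list once, the server stores only hashes, each code works exactly once, and nothing expires by time. The alphabet, code format and count are my own assumptions; real services pick their own.

```python
"""Single-use backup (recovery) codes, modelled on what services hand out when 2FA
is enabled. The server keeps only hashes, and a code is deleted as soon as it is
redeemed, so it can never be replayed."""
import hashlib
import hmac
import secrets

# Assumption: a lowercase alphabet without 0/o, 1/l and i, so codes survive being
# written down and typed back in. Three groups of four from 31 symbols is ~59 bits,
# which is why an unsalted SHA-256 of the code is an acceptable stored form here.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
GROUPS, GROUP_LEN = 3, 4


def _normalize(code: str) -> str:
    """Accept what a user actually types: any case, with or without separators."""
    return code.lower().replace("-", "").replace(" ", "")


def _digest(code: str) -> bytes:
    return hashlib.sha256(_normalize(code).encode()).digest()


def new_backup_code() -> str:
    """One random code such as 'k7hw-2m9q-xprd' (shape is an assumption)."""
    return "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(GROUP_LEN)) for _ in range(GROUPS)
    )


class BackupCodeStore:
    """Server-side record for one account. Codes never expire on their own."""

    def __init__(self) -> None:
        self._unused: list[bytes] = []

    def issue(self, count: int = 10) -> list[str]:
        """Generate a fresh set, return it for display to the user once, and keep only
        the hashes. Any earlier set is invalidated, which is what re-enrolling does."""
        codes = [new_backup_code() for _ in range(count)]
        self._unused = [_digest(c) for c in codes]
        return codes

    def redeem(self, submitted: str) -> bool:
        """Constant-time match against the unused hashes; a hit consumes the code."""
        digest = _digest(submitted)
        for i, stored in enumerate(self._unused):
            if hmac.compare_digest(stored, digest):
                del self._unused[i]  # single use: the same code is refused next time
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.issue()
    print("Store these somewhere safe:", *codes, sep="\n  ")
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
```

The store illustrates the two properties that distinguish backup codes from app codes: there is no clock involved, and validity ends with use rather than with time. It also shows why the printed list has to be kept safe: the server cannot recover the codes from the hashes, so the sheet of paper is the only copy.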
Invest in Your Security
Although it takes time to set up 2FA with all your services, it's worth the additional effort. You don't have to add all of them at once. Start with the accounts that pose the greatest risk, get used to how the login process works, and add more accounts as you get more comfortable.